<p><em>ssl (Blog): <a href="http://www.turnkeylinux.org/blog/term/80/0">http://www.turnkeylinux.org/blog/term/80/0</a></em></p>
<h1><a href="http://www.turnkeylinux.org/blog/ssl-certificates">Self signed and trusted SSL certificates</a></h1>
<p>Keeping it simple, HTTPS is a combination of the HTTP and SSL/TLS protocols, which provides encryption while authenticating the server. The main idea is to create a secure channel over an insecure network, ensuring &quot;reasonable&quot; protection from eavesdroppers and man-in-the-middle attacks.</p>
<p>HTTPS relies on the root certificates of trusted CAs (Certificate Authorities) being pre-installed in web browsers. If your SSL certificate is not signed by one of these CAs, the browser will display a warning:</p>
<center>
<p><img alt="" src="http://www.turnkeylinux.org/files/images/ssl_error.jpg" /></p>
</center>
<p>TurnKey appliances generate self signed certificates on first boot to provide an encrypted traffic channel, but because the certificates are not signed by a trusted CA, the warning is displayed. In most cases, this is acceptable. If it's not, go get a signed certificate.</p>
<h2>Authoritatively signed certificates</h2>
<h3>Cost</h3>
<p>Authoritatively signed certificates can be costly. For example, Verisign (the best-known CA) charges $1,499 per year for their recommended certificate. There are cheap alternatives (I recently purchased a certificate from Go Daddy for $12.99) as well as a couple of free providers.</p>
<h3>Generate key and CSR</h3>
<p>The first step is to create a private key and a certificate signing request (CSR). This can be done with OpenSSL.</p>
<pre>
apt-get update
apt-get install openssl
# replace bold type with your info
openssl req -new -newkey rsa:2048 -nodes -out <strong>www_example_com</strong>.csr -keyout <strong>www_example_com</strong>.key -subj &quot;/C=<strong>US</strong>/ST=<strong>Arizona</strong>/L=<strong>Scottsdale</strong>/O=<strong>Example Company Inc.</strong>/CN=<strong>www.example.com</strong>&quot;</pre>
<h3>Submit the CSR</h3>
<p>The above will generate two files: www_example_com.key (the private key, which never leaves your server) and www_example_com.csr (the signing request).</p>
<p>Once you have signed up for an authoritatively signed certificate, you will be requested to upload the CSR file or its contents.</p>
<h3>Verify the request</h3>
<p>The signing authority will need to verify the validity of the request and that it was submitted by the entity to which the domain in the request is registered, usually done by contacting the administrative contact for the domain.</p>
<p>Further steps may be required when requesting an <a href="http://en.wikipedia.org/wiki/Extended_validation">Extended Validation</a> (EV) certificate, which colors the address bar green in recent browsers.</p>
<h3>Download signed certificate</h3>
<p>After validation, your signed certificate (crt) will be available for download. Most likely your signing authority will include an intermediate CA certificate bundle (trust chain).</p>
<p>Note: you should make a backup of all SSL related files, the private key included.</p>
<h3>Generate PEM and placement</h3>
<p>Generate the PEM file by concatenating the private key and the signed certificate (crt):</p>
<pre>
cat www_example_com.key www.example.com.crt &gt; cert.pem
</pre>
<p>Place the generated PEM and the intermediate bundle (e.g. bundle.crt) in /etc/ssl/certs/, and make them readable only by root, since cert.pem contains the private key.</p>
<pre>
chown root:root *.pem *.crt
chmod 400 *.pem *.crt</pre>
<h3>Update configuration, enable SSL and reload webserver</h3>
<p><strong>Apache configuration</strong></p>
<pre>
&lt;VirtualHost *:443&gt;
SSLEngine on
SSLCertificateFile /etc/ssl/certs/cert.pem
SSLCertificateChainFile /etc/ssl/certs/bundle.crt
&lt;/VirtualHost&gt;</pre>
<pre>
a2enmod ssl
/etc/init.d/apache2 force-reload
</pre>
<p><strong>Lighttpd configuration</strong></p>
<p><strong>/etc/lighttpd/conf-available/10-ssl.conf</strong></p>
<pre>
$SERVER[&quot;socket&quot;] == &quot;0.0.0.0:443&quot; {
    ssl.engine  = &quot;enable&quot;
    ssl.pemfile = &quot;/etc/ssl/certs/cert.pem&quot;
    ssl.ca-file = &quot;/etc/ssl/certs/bundle.crt&quot;
}</pre>
<pre>
lighty-enable-mod ssl
/etc/init.d/lighttpd force-reload
</pre>
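<p>Before wiring cert.pem into Apache or lighttpd as above, it is worth checking that the pieces actually fit together: that the CSR is well formed, that the certificate the CA returned carries the public half of your key, that the chain verifies against the intermediate bundle, and that the file permissions came out as intended. The script below is an added example and is not part of the TurnKey post or its appliances. Because a real CA only signs after validating the request, a throwaway self-signed root (constructed, named bundle.crt here) stands in for the CA so that the whole sequence runs offline in a scratch directory; the subject values are the post's own placeholders.</p>

```shell
#!/bin/sh
# Added example, not from the TurnKey post. Runs the key/CSR/PEM steps in a
# scratch directory and verifies the result. A throwaway self-signed root
# stands in for the commercial CA (constructed; a real CA signs the CSR only
# after validating the request). Subject values are the post's placeholders.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Step 1: private key plus CSR, then check the CSR's own signature before
# uploading it anywhere.
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -out www_example_com.csr -keyout www_example_com.key \
        -subj "/C=US/ST=Arizona/L=Scottsdale/O=Example Company Inc./CN=www.example.com" \
        2>/dev/null
    openssl req -in www_example_com.csr -noout -verify >/dev/null 2>&1
}

# Stand-in for the CA: a self-signed root (bundle.crt) that signs the CSR.
fake_ca_sign() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout ca.key -out bundle.crt -subj "/CN=Constructed Test CA" 2>/dev/null
    openssl x509 -req -in www_example_com.csr -CA bundle.crt -CAkey ca.key \
        -CAcreateserial -days 1 -out www.example.com.crt 2>/dev/null
}

# Step 2: the returned certificate must carry the public half of our key.
# Comparing public-key digests catches a mixed-up key or a wrong download.
key_matches_cert() {
    k=$(openssl pkey -in www_example_com.key -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in www.example.com.crt -noout -pubkey \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Step 3: concatenate into cert.pem and lock both files down, as the post does.
build_pem() {
    cat www_example_com.key www.example.com.crt > cert.pem
    chown root:root cert.pem bundle.crt 2>/dev/null || true  # no-op unless root
    chmod 400 cert.pem bundle.crt
}

# Step 4: the chain the web server will present must verify against the bundle.
chain_ok() {
    openssl verify -CAfile bundle.crt www.example.com.crt >/dev/null 2>&1
}

# Owner-read-only, nothing for group or others.
perms_ok() {
    [ "$(ls -l cert.pem | cut -c1-10)" = "-r--------" ]
}

run_all() {
    gen_csr && fake_ca_sign && key_matches_cert && build_pem && chain_ok && perms_ok
}

run_all && echo "key, certificate, chain and permissions check out in $WORK"
```

<p>With a real certificate, drop the fake_ca_sign step, copy the CA's crt and bundle into the scratch directory under the same names, and the remaining checks apply unchanged. The public-key comparison is the one most often skipped in practice, and it is exactly the check that catches a cert.pem assembled from the wrong key.</p>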
<p><strong>Do you use an authoritatively signed certificate? Is self-signed sufficient? <a href="#comment-form">Leave a comment</a>!</strong></p>
<p><em>Posted by Alon Swartz, Wed, 07 Apr 2010 10:25:32 +0000. Tags: security, ssl. <a href="http://www.turnkeylinux.org/blog/ssl-certificates#comments">Comments</a></em></p>
<h1><a href="http://www.turnkeylinux.org/blog/we-dont-need-no-stinking-ssl">We don't need no stinking SSL</a></h1>
<p><em>Why we disabled SSL and use an SSH tunnel for web site administration</em></p>
<p>Content management systems like the one we use for the web site (Drupal) need to provide a privileged administration interface, which you usually want to access securely. Given the insecure nature of the Internet, it's reasonable to assume your traffic may be intercepted at some point. So how do you prevent that?</p>
<p>Up until recently, we used SSL. You could access the web site from both:</p>
<ul class="simple">
<li><a href="http://www.turnkeylinux.org/" title="http://www.turnkeylinux.org/">http://www.turnkeylinux.org/</a></li>
<li><a href="https://www.turnkeylinux.org/" title="https://www.turnkeylinux.org/">https://www.turnkeylinux.org/</a></li>
</ul>
<p>Unfortunately, as the site grew in complexity this created a range of subtle but annoying paper-cut type problems.</p>
<p>For example, I configured the site to use a content filter which translates local URLs (e.g., /lamp) into absolute URLs (e.g., <a href="http://www.turnkeylinux.org/lamp" title="http://www.turnkeylinux.org/lamp">http://www.turnkeylinux.org/lamp</a>). This is necessary for links and images in blog posts to work correctly in RSS feeds and email updates (such as those provided by FeedBurner). We didn't want to do that by hand because we were using FCKeditor and IMCE, which create local links by default, and it wasn't any fun to have to translate every single link into an absolute URL by hand.</p>
<p>The problem is that the Drupal cache saves pages AFTER the content filter has run, so guess what happens to links in pages you access via SSL? The result could be a mix of http and https links, which would be potentially confusing to both human visitors and search engines.</p>
<p>More importantly, while in theory SSL should have protected our administration credentials, in practice it didn't.</p>
<p>Drupal, along with many other web applications, doesn't support secure SSL cookies (cookies marked with the Secure attribute, which a browser sends only over HTTPS). That means even if you log in via SSL, your cookie is still transmitted in the clear when you access the site, say accidentally, via HTTP. In a perfect world that might never happen, but in practice it's quite a frequent mistake.</p>
<p>An attacker that can intercept your traffic can then intercept the cookie containing your session key and use that to access the site with your privileges.</p>
<p>So using SSL in this way doesn't really add that much security.</p>
<p>On the other hand, session keys are temporary, whereas passwords have much longer lifetimes, so you still don't want to transmit your password in the clear.</p>
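<p>The cookie problem described above is easy to spot from the server's own response headers: any Set-Cookie without a Secure attribute is a cookie the browser will also send over plain HTTP. The script below is an added example, not part of the post or of Drupal; it scans a constructed HTTP response for such cookies and reports their names, which is the check to run against an application before relying on SSL to protect its sessions.</p>

```shell
#!/bin/sh
# Added example, not from the TurnKey post. Scans an HTTP response for
# Set-Cookie headers that lack the Secure attribute, i.e. cookies a browser
# would also send over plain HTTP. The response below is constructed.
set -eu

# Constructed response: a session cookie without Secure, a harmless flag
# cookie, and one cookie set correctly for HTTPS-only use.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSd41d8cd9=abc123; expires=Sat, 17 Apr 2010 10:25:32 GMT; path=/; HttpOnly
Set-Cookie: has_js=1; path=/
Set-Cookie: admin_tok=xyz; Path=/; Secure; HttpOnly'

# Prints the name of every cookie set without Secure, one per line, and
# returns 1 if there was at least one (0 if all cookies are Secure).
insecure_cookies() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($0) ~ /^set-cookie:/ {
            value = substr($0, index($0, ":") + 1)
            n = split(value, attr, ";")
            sub(/^[ \t]+/, "", attr[1])
            split(attr[1], kv, "=")
            secure = 0
            for (i = 2; i <= n; i++) {
                a = attr[i]
                gsub(/^[ \t]+|[ \t]+$/, "", a)
                if (tolower(a) == "secure") secure = 1
            }
            if (!secure) { print kv[1]; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Count of insecure cookies; convenient for scripting a pass/fail check.
insecure_cookie_count() {
    insecure_cookies "$1" | grep -c . || true
}

insecure_cookies "$SAMPLE_RESPONSE" || echo "cookies above would be sent in the clear"
```

<p>Feed it a real response captured with a tool that prints headers and the session cookie (the SESS... one in Drupal's case) will show up in the output whenever it lacks Secure; the has_js cookie is harmless but listed for completeness, since the script judges attributes, not cookie purpose.</p>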
<h2>Alternative: access the site through an SSH tunnel</h2>
<p>So perhaps somewhat unintuitively, after considering our options we decided to turn off SSL and access the web site through an SSH tunnel which serves as a poor man's VPN.</p>
<p>That sounds a bit complicated but it really isn't.</p>
<p>From my ~/.ssh/config:</p>
<pre class="literal-block">
host tkl
DynamicForward 1081
</pre>
<p>Then when I ssh to tkl, which is the VPS that hosts the web site, this creates a SOCKS proxy bound to 127.0.0.1:1081. Constructing the tunnel in this way can be a bit of a hassle, but you can set that up to happen automatically (future post).</p>
<p>We then configured the SwitchProxy Firefox extension to make it easy to switch to browsing within the tunnel.</p>
<p>Configuration tips:</p>
<ul class="simple">
<li>disable the SwitchProxy toolbar (Views-&gt;Toolbars)</li>
<li>added my staging server test.turnkeylinux.org to &quot;No proxy for...&quot;</li>
</ul>
<p>And then to switch into the tunnel: Tools-&gt;SwitchProxy-&gt;tkl</p>
<p>A nice bonus is that in our case this setup seems to be noticeably snappier than using SSL.</p>
<p><em>Posted by Liraz Siri, Mon, 15 Feb 2010 06:34:57 +0000. Tags: admin, security, ssh, ssl. <a href="http://www.turnkeylinux.org/blog/we-dont-need-no-stinking-ssl#comments">Comments</a></em></p>